Overconfidence is the new zero-day as teams stumble through cyber simulations

(2025/11/17)


Teams that think they're ready for a major cyber incident are scoring barely 22 percent accuracy and taking more than a day to contain simulated attacks, according to new data out Monday.

Immersive's latest Cyber Workforce Benchmark, which draws on 1.8 million exercises from the Immersive One platform and a survey of 500 cybersecurity leaders, paints a picture of an industry that has become more confident but no more capable. Immersive says 94 percent of organizations believe they can "effectively detect, respond to, and recover from a major incident," yet real-world performance in controlled drills has remained stubbornly flat.

According to the report, resilience scores haven't improved since 2023, with the median response time to complete critical cyber threat intelligence labs still coming in at 17 days – despite what Immersive describes as "record investment" and growing pressure from boards and cyber insurance carriers.

James Hadley, Immersive founder and chief innovation officer, argues that organizations are failing not for lack of effort, but because they are training for the wrong fights. "Readiness isn't a box to tick, it's a skill that's earned under pressure," he says in the report. "Organizations aren't failing to practice; they're failing to practice the right things."

Across the company's crisis-simulation drills, which involved 187 professionals in 11 global exercises, performance was consistently poor. Participants achieved just 22 percent accuracy, averaged 60 percent confidence, and took 29 hours to contain an infection, a combination the report describes as evidence that "when tested under pressure, most teams didn't fail for lack of knowledge, they failed for lack of practiced coordination."

The data also shows no improvement in the industry's basic readiness metrics. Immersive says more than 60 percent of sectors actually experienced slower response times year-over-year, and that confidence scores for "OK," "Good," and "Great" answers averaged the same (around 42.5 percent), suggesting teams cannot accurately judge their own performance despite expressing strong self-belief.

Much of the stagnation, the report argues, comes from practicing outdated threat scenarios. Immersive found that 60 percent of all training activity still focuses on vulnerabilities more than two years old, leaving teams "over-prepared for yesterday's threats" while new attacker techniques continue to evolve. Fundamental-level labs remain the most common exercises at 36 percent of usage, which the company says limits progression to intermediate and advanced readiness.

Another systemic issue is participation. Only 41 percent of organizations include non-technical roles such as legal, HR, communications, or senior executives in their cyber-response simulations. This is despite 90 percent of respondents believing their cross-functional communication during an incident is effective. Immersive's data shows the opposite: when business functions aren't rehearsed under pressure, collaboration falters and response times worsen.

[5] The race to shore up Europe's power grids against cyberattacks and sabotage

[6] Iran's school for cyberspies could've used a few more lessons in preventing breaches

[7] Pentagon decrees warfighters don't need 'frequent' cybersecurity training

[8] Schools are swotting up on security yet still flunk recovery when cyberattacks strike

Industry habits also contribute to the readiness illusion. Immersive reports that organizations overwhelmingly rely on training completion rates to measure preparedness even though completion "is not competence." Only 46 percent use resilience scores, and only 42 percent measure the number of simulations conducted, creating what the report calls "false metrics" that mask real-world capability gaps.

The report highlights a widening adaptability problem as well. Experienced practitioners perform strongly on familiar threats (roughly 80 percent accuracy in classic incident-response labs) but fall behind when faced with AI-enabled or novel attacks. Senior participation in AI-scenario labs dropped 14 percent year-over-year, while non-technical managers increased participation by 41 percent.

As Immersive puts it: "Experience teaches what to do next – until the next thing has never happened before."

Training completion itself remains inconsistent. The report notes an average completion rate of 81 percent, meaning nearly one in five participants do not finish the exercises they start.

Hadley argues the industry must shift from confidence built on assumptions to readiness grounded in evidence. "True resilience comes from continuously proving and improving readiness across every level of the business, so when a real crisis hits, your confidence is backed by evidence, not assumption."

"Experience teaches what to do next, until the next thing has never happened before," added Hadley. "Even the most seasoned teams must evolve as fast as the threats they face." ®

[5] https://www.theregister.com/2025/11/03/europe_power_grid_security/

[6] https://www.theregister.com/2025/10/27/breach_iran_ravin_academy/

[7] https://www.theregister.com/2025/10/02/pentagon_relaxes_military_cybersecurity_training/

[8] https://www.theregister.com/2025/10/01/school_cyberattack_recovery/



Anonymous Coward

Well they might have only hit 22% accuracy and taken a working day to finish the simulation but they did 100% tick the box which asked if they "have carried out mandatory security recovery test".

This is a nice advert but says nothing we don't know.

You can't get experience without running drills and most security teams are not permitted time away from the day job so the only experience they are permitted to gain is through live incidents.

Businesses won't pay for or allow time for incident management training

Businesses have stripped security and IT teams to a skeleton crew so no one is left to run an incident.

Businesses often like to have a business manager as the incident lead who knows nothing about security, IT or incidents. But knows a lot about shareholder value and PR.

security spending goes up

cookiecutter

and still so do incidents

maybe if spending on the basics went up instead of down, we wouldn't be in this mess!

solid infrastructure teams... NOT devops

forcing developers to actually do their jobs, give them time to deliver good solid software. guaranteed if the security is shit in the code, the code itself is shit. write good performative code & the security will follow.

good solid code = less need for customers to patch

good solid infrastructure teams = well architected infrastructure & patched hardware/software

for some fucked up reason (shareholder profits) we see infrastructure teams devastated, cybersecurity spend going up as the EU will make CEOs responsible yet NOTHING will change because the foundations are shit. "agentic ai" will be used in SOCs instead of good engineers. the AI companies can say "well they took the human out & must have set up the agents wrong" & the CSuite will say "well ticked the box for a SOC"; the consultancies will wander off with their $millions, the UK will still be funding indian, polish & south african IT industries while 10,000s of us here are out of work.

I swear if the job comes up to do the IT for the Chinese embassy in london, I'll take it & if ever approached by a couple of guys called John with regulation haircuts asking me to do them a "patriotic favour", I'll tell them openly to fuck off! And then put it online
